
The FD's being facilitated
January 31 - Christening done.
New stock controller appointed (I hope - but 2 stood out as OK and we haven't rejected the second yet). The curiosity is (and Ops thinks this is just me building an all female empire) that the new stock controller is a woman. I know I shouldn't say that's curious, but how many have you come across? Her background has been largely in retail, but the credentials are good and she's done some accounting in her time. All looks OK. I'm optimistic.
So, back to the rest of life. Like getting the budget out. For this we need a board meeting before approval can be given, so it's quite a big issue under our shareholder agreement. Theoretically without a budget we should shut down. We wouldn't, but I want it in the bag this month so that I can then face year end on 28 February with some comfort.
One other thing - we're getting our divisional managers in next week to discuss controls, what they want, how they work, what's important and what isn't. Even Ops agrees this is high on his agenda as he'd rather not have to talk about the issue with the ex-CEO again.
We ummed and ahhed about getting the auditors involved. And we wondered about the merits of me running the meeting. And in the end we called a couple of p-people we knew, one of whom suggested the local enterprise agency. They suggested a facilitator be used for the meeting and gave us a couple of names. It seemed such a good idea given the cost of getting people together in the first place that we decided to do it. One seemed the more clued up on issues of concern to us so they got the job. Cheaper than the auditors by miles and if it helps us to find our own solution well worth it.
* * *
January 26 - Well, I was an optimist yesterday. The profit did not look right at the first attempt. It was too good! I know we think the new kit will improve our efficiency, but not that much.
So, Ops and I had a session and came to the conclusion that we were putting ourselves up to be slaughtered if we offered the resulting figures as a budget, so I'm afraid we have played that old budget trick and added back in a load of labour costs "just in case". I know we shouldn't do it - but only tell me I'm wrong if you've never done the same.
The plus is that we can still afford the IT upgrades that quite a lot of the system is calling out for. It will be good to give people new boxes when they are groaning a bit at the moment, and to consign all non-flat screens to the tip. That will be easy brownie points won, as will be improved laptops and wireless communication for people on the road, because that's overdue as well.
That's also paid for by the fact that we won't need to replace some vans because now Ops has worked out the consequence of our new way of working it's clear we'll be doing fewer miles with fewer people. I like that.
If I can get all that lot into the spreadsheet then I've still got time to do some interviews for a stock controller this afternoon. After which it's a weekend off, if you call a christening party for every far flung relative a weekend off.
* * *
January 25 - Enough of this accounting nonsense. Today it's the budget.
Sales agreed their figures a while ago. Ops and I have covered costs (we should have delegated more but failed to do so in the end) and we invited a range of people to bid for new capital equipment, which they did, and overall quite realistically.
Today the job is to pull it all together. Thankfully the model to do this has existed for some time. Yes, it's Excel. Yes, I know all about the supposed perils of such things. No, I won't change because I've used the same basic drive model for cash flows for years, have built in an enormous range of checks and balances, and know exactly how it works.
With luck by this afternoon I'll know if profit is on target, what the cash flow looks like and who we must disappoint with regard to their capital bids if we're also to keep the shareholders happy with their inflated expectations of the returns they are due. And if all that can be done I'll then settle down and get the note to the board written justifying the whole approach and we can put it to bed (subject to their approval). If I can do all that it will have been a good day's work.
* * *
January 24 - As if yesterday's provocations were not enough now I've had Mrs. CEO to deal with.
December accounts went out well on time. #3 had done a good job and the routine seems to be settling down quite well. Then Mrs. CEO phones #3 whilst I'm out at a meeting with a customer to support the sales team on a contract issue, and complains they don't add up and what on earth is #3 doing issuing accounts that are wrong?
#3 was, understandably, upset. Mrs. CEO in full flow is not a pretty sight or sound. But it transpired that all that did not "add up" is a part of the cash flow where we round numbers to the nearest £1,000. We actually prepare the figures in detail, but I hate spurious accuracy so some time ago I took to dividing the results by 1,000 to give an easier and more appropriate overview. And of course, using Excel means the odd rounding difference creeps through so that some things look as though they're one out. And that's all.
This is micro-management gone mad. But I had to placate #3 first of all and then explain to Mrs. CEO that there was nothing wrong with the accounts at all, and the differences were nothing new. #3 has confidence in me, so that was the easy bit. Mrs. CEO does not always share that confidence and so that was hard. Eventually I agreed to send her the support figures not rounded, which do add up. This shut her up. But what a waste of time. I really would not have stayed here if she (or her ex) had.
PS. Thanks to those who commented on yesterday's entry. Some faith in my own sanity has been restored. It's easy to lose that faith when under pressure.
* * *
January 23 - I've not done this before, but I've had another think about what John Sartoris has said here and I think I'm going to comment in my diary. At first I thought what he said a bit of a joke. I admit I don't now. This might just be that I've not had a decent night's sleep since November and it's beginning to tell. It could just be I think John is wrong.
I don't think our systems failed, as he seems to suggest. And I don't think Ops and I are at fault. So I'm going to say so. This is why (sorry for the list, can't think of a better way to do it):
1. There was almost certainly a crime perpetrated. We haven't got enough evidence for court, but it looks like a theft to me. The person who we think did it has gone. The control environment has improved.
2. We do not know if the stock controller was involved in the crime or was asleep on the job, it cannot be proved.
3. We do know that a stock count (a periodic control) found the difference.
4. We do know the stock controller did not report the error. That was a weakness in the control, but clearly because of a human over-ride - and you can't stop them in any system.
5. #3 did spot the difference, both in stock and in the management accounts - in other words another control found the human over-ride of the first control. Full marks for that, I say.
6. We went into action (despite other possible diversions) to investigate the issue, and have identified the problem and literally removed the weakness, without further risk accruing (full marks again, I say).
7. We have improved one identified weakness on part number logging, and evidence is people are now doing it (good marks, once more)
8. We're beginning to look at other controls again (an appropriate reaction, I think).
In the meantime, sure we suffered a loss, and it may have been enough to distort a monthly account, but was in no way material to the overall view of the accounts. In other words, there was no audit risk, and the controls stopped it before it created one, which is why I object to an additional fee to cover it.
Now I am wondering what John would have me do. Am I meant to have a warehouse like a fortress? Double check everyone all the time? Stock count everything every day? Controls have economic limits to the extent they can be afforded. Here, maybe, we actually got that balance right.
But I'm not going to have it said that Ops and I let the company down because someone turned out to be a crook and the stock controller made some serious errors of judgement, possibly to hide the fact that he thought he should have found the problem earlier (which is a real chance - I still can't prove he benefited from anything or even knew of it until the count that he did not report). These things happen in life. That's why you have controls.
It seems John Sartoris might think there is a world where nothing goes wrong and auditors are objective. Neither is true as far as I know. In which case I accept none of the suggestions John Sartoris makes in his last two paragraphs. I wonder, is he an auditor and has he run a company? It seems unlikely given what he says but it would be interesting to know.
* * *
January 20 - Back to monitoring job applicants again. We lost no time in advertising the stock controller's job and I'm doing the first scan.
Why does someone think that driving a fork lift truck is enough qualification for the job?
More bizarre is the out of work actor looking for a change in direction in his career.
So far just three look worth an interview, but as I always remind myself, one would be enough if they were the right candidate, so I must hope.
* * *
January 18 - Had a long discussion with our auditor. He wanted to increase the audit fee because of the additional risk with regard to stock this year. I have to say I didn't agree.
"What additional risk?" I asked.
"We had a problem, we found it, we've solved it and additional checks since then have not indicated we have a problem anywhere else," I continued. "Sure I'm willing to consider a small extra fee for reviewing that evidence as part of a review of the effectiveness of our systems, but I'm certainly not tolerating the idea of a 100% auditor monitored stock count on the assumption that there's been a complete breakdown in our control environment."
"After all," I said, "isn't it the case that controls (including analytical review when preparing the management accounts, which found this one) are meant to pick up and correct the cause of errors as well as simply stop them? Isn't it a credit to the system that it worked?"
I think he bought my point in the end, but I had to be tough. But he's also really confirmed the doubt that had already been implanted about his firm's suitability to undertake a review of our controls. I feel he's trying to exploit a situation for his advantage and not to benefit us. And that's not a way to win friends, or business.
* * *
January 16 - I spent too much time at the weekend thinking about how to get a systems review under way. One of the comments on this diary was really helpful in that respect. Maybe the auditors are not the right way to go at the moment, although I have already contacted them. After all, I did have to tell them what had happened in any event and show clear intention of improving things.
But, once the idea of a brainstorm had been implanted I have to admit that its appeal has grown. The advantage seems to be that this requires people to buy into what we are doing in a way that we could not otherwise achieve. Maybe, just maybe this might also solve our problem with the manager in the north. He does not buy into the system and we want him to. I cannot help but think that if he was asked to help design controls to improve how things operate then he might want to operate them correctly.
But this afternoon is with the sales guys finalising their budget documentation.
* * *
January 13 - Some good news. The week's cash receipts have been high. It was just a Christmas blip.
#3 has also reported that sentiment is now moving towards the fact that we did the right thing to get rid of the stock controller. The PR offensive worked.
But I'm exhausted.
The reality of work and new babies is they don't mix that well. I want a long lie in tomorrow. The reality is I'm at football training at 9.
* * *
January 12 - I can't believe how much time it has taken to deal with the fallout from our stock problem.
The stock controller had been here for some time. People were shocked that he has gone. This has required patient explanation. In particular, we've had to explain that he has not been accused of theft or anything like it. People have presumed that was the case.
And it takes some time to explain to some people that not complying with systems really is serious, especially when the company loses money as a result, as it no doubt has in this case.
By and large Ops has been on the road reassuring people, and I have done it in the office. I think the investment of effort will be worth it, but for those who say that prevention is better than cure, I agree.
The trouble is that right now I'm up to my neck in it. So we are asking the shareholders for a budget to pay the auditors to review some critical systems in the next couple of months to see if there are other things we should be tackling. I can't think of another solution to the problem at present, much as I hate spending money in this way.
* * *
January 9 - Well, the meeting with the stock controller happened. I'm not sure who was looking forward to it least, Ops or him. At Ops' suggestion I handled it for us as I was not his line manager, and Ops was. Our solicitor supported me, but it was agreed I should ask the questions.
We started by trying to establish common ground. Did he, for example agree that the stock differences had arisen? And did he agree that he had entered them in the system following a count he had organised? And had he not reported them? Did he agree that they were significant as defined by the reporting criteria that had been agreed for such differences and that they should therefore have been reported for further investigation?
All of this was pretty straightforward stuff since objectively all were true and there was documentary evidence to support it. His solicitor confirmed he agreed all these facts after we produced the papers that showed them to be true and that the systems were in existence and were documented. More than that, we could show that other differences had been reported by him in the past and had been investigated.
Did he therefore agree that he had failed to do what was required of him? No, he said. He'd just made a mistake. But, we pointed out, anyone can do that, but mistakes tend to happen on the spur of the moment, or with regard to small items. He'd had the stock count report for several days before he actioned it, and then he made several entries to try to put it right over several stock items, with more than one go in some cases. This wasn't something he hadn't had to think about. It was clear that he'd given this quite a lot of thought. So why hadn't he reported it?
He didn't know he said. It was a mistake.
So we then asked why he had called the mobile number of the now departed West Midlands man during the period between the stock count and posting the adjustments. And why again after the issue had come to light and before both rather rapidly disappeared from the premises, as the phone system log showed (at which point I blessed the investment we made in new phone technology shortly after I got here).
This really did stump him. He looked shifty and nervous and tried to say these were just routine discussions of stock issues, but the frequency of calls suggested they talked more often than was normal by some way with most people. Again he could not explain why, but denied there was anything improper in his having done so.
Did he have anything he wanted to say, we asked? Only that he felt he was being unfairly accused of being involved in a stock loss he said. But we made clear that was not what he was being accused of. He was being accused of failing to report stock losses which he had discovered. That was something quite different and serious in view of their size on this occasion.
We retired, with the agreement of his solicitor. Our solicitor said we had charged him with gross misconduct in failing to protect the assets of the company and to report a loss of them when that was found. As a matter of fact there was a loss, and he did not deny it. As a matter of fact he could not explain why he had not reported it. Circumstantially it looked likely he had discussed it with others. His behaviour in posting the differences suggested he must be aware of the gravity of the issue. He concluded that the case was convincing. Equally, it did not prove he had been party to anything else with any degree of certainty.
He suggested we could dismiss on grounds of gross misconduct but we should take it no further.
So we went back and advised of our decision. His solicitor asked if we would give a reference in view of his length of employment. We confirmed we would, but only to confirm that he had been employed between agreed dates.
And he then said he would discuss the matter with his client and advise if he wished to appeal. We agreed that if he wished to appeal the appeal hearing would be by the ex CEO and Mrs. CEO, being the non executive directors of the company. At that point the Stock Controller laughed and said he accepted the decision. Which somewhat undermined any grounds for appeal there might have been and he left with a P45, a cheque to close of business today plus holiday pay and his personal effects.
I think that's over as far as he's concerned. And we're stuck now with the probability that there's no case against him and documentation in the West Midlands is not good enough to prove a case in court with anyone else.
Still, I think we've eliminated the problem. We just need a good new stock controller, and they're as rare as hen's teeth in my opinion.
I'm exhausted. Time to go home for a drink. Or at least to give the baby a bottle.
* * *
January 6 - Ops and I had our usual Friday session. Our stresses seem to be behind us at the moment. Admittedly, he's nervous about next week, but that's partly because he's worried about how the shareholders are reacting to all the problems he's had to report on stock differences, staff departing in a hurry and a stock controller under a cloud. The ex-CEO is muttering about the fact that we should have found it all a lot sooner, although quite how of course he cannot say.
But on the other hand Ops is energised about the new year and is really getting to see that planning the roll out of new systems across as many sites as we can is possible, and should pay back within a fairly short period of time. I know he believes it because he's changing his recruitment ideas and the training programmes people get so that they are being focussed on the new kit. As a result I'm now convinced we can deliver a meaningful budget so I offered to cover some of his work on it as a result. Give and take seems to be the order of the day.
But we are both having to think hard about a new problem and it's not one I'm really experienced in. The West Midlands (where our stock problem occurred) is for our purposes in our northern division. We have four divisional managers and in many ways the chap who runs the northern team (which is small and covers a wide area) has the greatest autonomy precisely because they are further from base and his people are less well known here as a result.
That would be good if all was going well. But it's clear that a problem arose in his area, even if, admittedly with someone who came to base more often than most of his people do. He appears reluctant to think it has anything to do with him, or that he might have monitored the unusual pattern of stock usage on his patch more effectively.
Our problem is simple: he's overall good, he's been with us for a long time and we've not had real problems before (at least that we know about). But now that a management issue has come up it seems fairly apparent that he doesn't really manage at all. He just trusts people to get on with things. So how do we get someone who isn't here much to do a job he's not keen to accept responsibility for even though we think it's in his job description (not that Ops can find that he's ever had one, which does not help). Answers on the back of a postcard please to.....
* * *
January 5 - I know I expect cash to be tight over Christmas, but #3 and I reviewed December month end figures this morning and they're worse than we expected.
Inevitably December is a dull month. We lose at least a third of the month for new product installations. On the other hand most of our service contracts accrue evenly throughout the year, which helps P & L reporting. But the really noticeable impact is the fact that people seem to have put off paying in a really big way.
It's mass cash chasing time now. Our new person has her work cut out dealing with this lot. Even those we usually never have to chase might be on the statement list this month.
* * *
January 3 - Back to work.
I called Ops after the Christmas Day debacle. Much to my surprise I learned he had been in church when he was called out, and I had him marked out as a regular heathen.
Since then though I managed to take the entire Christmas period off and as such my stock at home and my energy levels have both risen somewhat.
I think I'll need it. The stock controller has appointed a solicitor and we do have a letter saying that they will attend on 9 January. As a result we are getting ours to attend as well. It's a bit heavy, but I don't want to get this wrong and I believe that some upfront expenditure might save later aggravation.
And now, it's time to clear the desk, talk to everyone (which seems to take for ever after the Christmas holiday) and then, with a bit of luck, do some work. Because although I don't mention it very often, I gather that's what I am employed to do.
* * *
In December the FD found that substantial stock problems had been uncovered during his paternity leave.
AccountingWEB.co.uk 31-Jan-2006
Categories: Finance, CEO's Diary
I've met three senior and well-regarded academics, two from Harvard and one from the UK, none of whom had so much as a toehold on the reality of auditing, being full of their own fanciful theories. So 'academic' is my guess.
No chance... his comments are so mis-informed I just can't see it.
He's got to be either an academic (which is worrying) or someone whose company went bust and he's blaming his auditors.
Well done all round, I say.
As for the FD and Ops being where the buck stops, bucks don’t come in just the one size. The people at the top are where the really big bucks stop; small bucks like the stock problem stop a lot earlier than Ops and the FD, which is why there are various management and supervisory levels below them. That’s why Tony is still there after Peter and David have both gone more than once, and why Ruth is still hanging on after a medium-sized buck.
Stocktakes are largely an operational control. They detect instances of inaccurate stock records arising from any cause, whether unrecorded or misrecorded issues, misrecorded or invalid receipts, theft, or other unauthorised stock movements, as well as identifying damaged stock, and this allows the records to be changed to reflect the physical reality. A business needs accurate records of stock positions if it is to simultaneously minimise both stockholding costs and stockouts. The less accurate your records, the more buffer stock you need or the more stockouts you will suffer.
If a stocktake shows unacceptable discrepancies then these will be investigated. In retail, for example, where stock records are updated from scanned barcodes, stock "shrinkage" may arise directly from theft of stock, or less directly from unrecorded sales and theft of the cash (putting aside other reasons for now): different problems requiring different solutions. In practice a certain low level of stock loss will be accepted as a cost of doing business (as stricter preventive controls would cost more than they would save, either directly, or by deterring potential customers and reducing or limiting sales), and action will not be taken until that level is exceeded. This reinforces what has already been said about the need to have regard to both the costs and benefits of controls, but I would add that the relevant costs and benefits can be operational, financial, or both.
In most businesses that hold stock, the year-end stocktake does have an effect on the financial statements as it is the basis for the closing stock figure in the accounts and thence cost of sales and so on. But the stocktake is not really a financial control as well as an operational one; it is really a process to ascertain the facts and form the basis for a journal that will reflect them. It is not *preventing* anything being recorded or processed wrongly, nor is it *detecting and correcting* anything wrongly recorded - in any direct sense. It just identifies stock movements (and deterioration) that the system is not designed to record as they happen. The auditors may call it a control over the year-end stock figure, but in reality the controls they rely on are the controls over the stocktaking process itself, which is why they read the instructions, attend and watch how the count is carried out and supervised, and do their own test counts to gauge how rigorous and reliable the count is. (They are motivated in part by the realisation that closing stock presents the easiest way for management to "massage" the accounts, with every pound of misstatement going straight to PBT.)
The auditors shouldn't give a second's thought to what John says about FD and Ops increasing audit risk. Since I know what "audit risk" means, then, were I FD's auditor, I would take a lot of comfort from what has happened rather than the opposite: my necessary professional scepticism would have been allayed to an extent by the speed and appropriateness of the company's response(s).
It is notable that John sees other contributors' "wilful blindness", and spots that "FD (and his fans) are over-defensive and protest too much - nearly always a sure sign that they are in the wrong", while of course he is neither blind nor wrong. To defend not at all is most easily construed as agreement. Personally I wonder where justification of a position shades into "protest" and becomes "overdefensive", how much protest is enough and how much is "too much" (and how John can tell so infallibly when all these boundaries are crossed). But then as John's style is dogmatic assertion, maybe all reasoned argument looks like over-defensive protest to him.
I place much more stock in an argued rebuttal than a "methinks the FD doth protest too much" ad hominem flame with nothing at all to back it up. Call me an FD "fan": I don't care; why I share FD's view is irrelevant, and the label, which of course John means to apply to everyone who shares FD's views rather than his own, is merely a cheap pejorative put-down intended to devalue all dissenting contributions by attributing them to illogical fanatics.
I’m convinced Mr Sartoris works in the profession
I’m pretty sure he is an auditor
I’m thinking he’s having a right laugh
a. The final buck must stop with the FD.
b. It is not a good idea for a company's auditors to be paid to review their controls for the reasons outlined.
Having said that, as this error was quickly identified and the issues addressed, then this is an indication that the current controls within the company are working.
I would suggest that the FD and others should not be so sensitive and don't beat themselves up - just learn from these events and move on.
"They are also responsible for safeguarding the assets of the company and hence for taking reasonable steps for the prevention and detection of fraud and other irregularities"
Key word is "reasonable".
IMO the controls have worked, a problem was found and action taken before it became material.
The FD's done his job.
The auditors are trying it on.
Sartoris's comments are a joke. Love to hear what he does for a living.....
When people take on the concept of responsibility as an alternative, value laden language like 'blame' and 'fault' are unnecessary. It makes a rational analysis of the situation more easy and the guilt that goes with 'fault' evaporates.
That's why in any business I'm involved with I say this: 'no-one is to blame but everyone is responsible.'
Taking responsibility does not automatically translate into people falling on the proverbial sword when things go out of whack. But it sharpens the senses to risk.
The problem with most preventative control systems is that they get built for a point in time and rarely adapt to changing conditions.
There's no legislating against determined criminals and fraudsters.
Full marks to FD for taking the responsible approach. It's more than many are prepared to do.
The facts are:
FD is responsible for financial controls.
Certain preventative controls failed in this instance.
Since he is responsible for those controls, FD failed too.
If the buck doesn't stop with FD, where does it stop?
Although you are to set up a more formal evaluation and monitoring of certain key controls, what would seem evidential is that the controls you have in place worked. And your response seemed to be proportionate. The response of your external auditors was pure opportunism which rightly has flavoured your opinion of them.
Most of the stuff in the Sartoris post is errant nonsense - I would ignore it.
Talking about stock control in Peru
"The king had auditors who went out to check the inventories - the Knot Counters. If the inventory was short the warehouseman lost his head on the spot. The occasional cost of control was high (particularly to the warehouseman who was so unfortunate as to be short). However the total cost was low because an occasional example served to remind everyone of the need for care and attention to recordkeeping and regular internal checks." (William E. "Bill" Thompson, Internal Controls: Design and Documentation, AICPA, Micro-Mash 2004)
From the same source,
"One control objective in the totalitarian environment was the continuing proof that the head of state was omnipotent. However the modern evolution of this theory has not passed completely from the scene. Auditors, regulatory examiners, and an occasional manager have recommended control procedures whose cost exceeds the benefits derived from those procedures."
Somehow these quotes seemed so appropriate.
If every single number everywhere had to be 100% controlled 100% of the time we would be so encumbered with controls that operational effectiveness and efficiency would cease to exist. (Imagine struggling down the high street with a dinghy and oars every time you went shopping just in case there should be flash floods...)
Often you should be able to figure out whether the value added by a control is justifiable against its cost but if you want to be scientific about it (e.g. to justify budget allocation for the control) then:
Number of items or transactions susceptible to the risk
multiplied by
£value of the average transaction
multiplied by
probability of occurrence
(or rate of occurrence if it happens frequently)
multiplied by
The effectiveness of the control
(i.e. what % of errors do you expect it to prevent?)
Gives you the value of the control
less
Cost of control
Gives you the net gain or loss from the existence of the control
Anyone who claims to have never made a mistake:
(a) is lying; or
(b) is suffering from amnesia; or
(c) has an incorrect definition of mistake; or
(d) never ever takes any form of risk whatsoever - getting out of bed classes as a dangerous activity for this purpose
Life is about learning from both successes and mistakes. How do you learn to deal with failure and overturn it to create success if you never make a msitake (see what I mean - typo says I should learn to edit in word and paste into this comment form)?
Think of errors in terms of a framework of internal controls. Any good control framework has preventative controls to stop things going wrong and detective controls in case the preventative controls fail.
Thus the subprocess for this element of life is
- Preventative control - If at all possible anticipate error (no-one can 100% of the time otherwise we would be infallible)
Take preventative action
If you failed to identify and/or prevent the error then the subsequent steps in the process are
- make mistake
- detect mistake
- learn from mistake
- avoid repeating mistake
- move on
Should I quietly shoot myself now, or continue within the constraints of my obvious fallibility?
Any suggestions?
And can anyone reassure me that they too might have made the odd error along the way before I go and beat myself to a pulp? :-)
Regrettably, FD seems to have forgotten the lessons of that debate in that he has been considering engaging the auditors to review internal controls that they would subsequently audit.
As though the auditors are likely to criticise or even admit a fault in a system they had just received a hefty fee for putting right!
FD should recall the main conclusions of the previous debate:
(a) auditors should do the audit and nothing else;
(b) a different independent firm should do any other work.
The second point FD seems to have forgotten is that an audit of the accounts is automatically an audit of the management.
Wilful blindness prevented many contributors to the previous debate from seeing this obvious point. But it is nonetheless true.
Every figure in the accounts reflects in one way or another management performance. Since the auditors report on those accounts they automatically report on the performance of management.
Contrary to what FD suggests, the auditors are not there "to benefit us". They are there to check up on him and his fellow managers and from a critical and sceptical standpoint.
In this instance it is admitted that there has been a failure of management in that the control systems they are responsible for either were not adequate or were not adequately implemented or monitored.
In either case the failure is a failure of FD and Ops since they pretty much run the company between them. It is understandable therefore that the auditors regard their failure as increasing the audit risk.
The auditors have a statutory obligation to report if they suspect or have reasonable grounds to suspect anyone of money laundering (and the information came to them in the course of their professional work).
If an employee steals stock he commits a money laundering offence since he acquires 'criminal property' (an asset which he knows or suspects to be derived from crime - whether his own crime, as in this case, or someone else's).
So that is that.
You ask "What is the point of NCIS trying to do anything more?". Your comment is based on something of a misconception. NCIS do not "do" anything to criminals or suspected criminals. That is not their function. They receive and disseminate information. They are a clearing house for 'intelligence'.
They are adding about 10,000 reports each month to their database. Most of these reports originate from the High Street banks.
The NCIS database can be accessed directly by their users. This means that information about the auditor's suspicions concerning Mr X will be available to police, HMR&C, DWP, etc. They may take action based on it - but most likely will not in a case like this. However if the same Mr X turns up in another report, say, next year then the earlier report will also be borne in mind and the combined impact will be greater.
So it does not follow that one report leads to one action. It is not that sort of an input / output mechanism.
In one recent police investigation over 500 reports filed over a period of years were considered in order to build up a picture of criminal activity, following which several arrests were made.
The downside is that some suspicions filed with NCIS may be groundless or misconceived. The suspect will never know the report is there and will have no chance to put his explanation on file alongside the NCIS data.
Are many NCIS reports a waste of everyone's time? Undoubtedly - but it is a statutory obligation to file them!
If you are an MLRO you can get confidential one-to-one email support, information and NewsAlerts from my website www.mlrosupport.co.uk.
But I make this point. We can't prove a crime, although we certainly suffered a stock loss, and have lost 2 people as a result, one at least under suspicion which cannot be proven. So what's the point of NCIS trying to do anything more?
If the auditors report, well they must - and I know they can't tell me either way - but it would seem daft if that was the case. Didn't I read about time wasting also being an offence when it came to reporting?
In terms of evaluating risks and controls I use the COSO model. Good controls are about managing to objectives.
Start with the business model - (inbound, outbound, admin) and identify the business objectives for each area of activity. Each objective will be linked to one or more purposes - Operating effectiveness and efficiency, reliability of financial reporting, compliance with laws and regulations, safeguarding of assets.
Identify the risks to achieving those objectives.
Identify the controls necessary to manage exposure to those risks (design effectiveness)
Implement any additional/changed controls as necessary.
Assess the controls (operating effectiveness)
Using this in business I have found objectives that no-one had considered. Controls with no objective. Redundant controls. Missing controls.
You will find you have a lot of multiple relationships between risks and controls.
One control can affect exposure to several risks. One risk can be affected by several controls. So mapping these relationships in a matrix can be very helpful.
Brainstorming sessions are good. I often work with a processing team - say AP and throw a session open to them. This gets ownership of risks and controls pushed down to a lower level and gives opportunity to educate on risk and control. People learn to see controls as having a purpose rather than being a pain. And you may be very pleasantly surprised by the ideas you get from other people.
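The risk-and-control matrix described in the comment above, sketched as an added example that is not part of the original thread. The objectives, risks and controls are constructed sample data, and the rule used to flag a redundancy candidate is an assumption made for this sketch.

```python
# Constructed sample data: objectives, risks and controls are illustrative only.
OBJECTIVES = {
    "O1": "safeguarding of assets",
    "O2": "reliability of financial reporting",
}
RISKS = {  # risk -> objective it threatens
    "stock theft": "O1",
    "miscounted stock": "O2",
    "unrecorded write-off": "O2",
}
CONTROLS = {  # control -> (type, risks it addresses)
    "locked cage": ("preventative", {"stock theft"}),
    "monthly cycle count": ("detective", {"stock theft", "miscounted stock"}),
    "year-end full count": ("detective", {"miscounted stock"}),
    "visitor sign-in book": ("preventative", set()),
}

def risk_control_matrix(risks, controls):
    """Rows are risks, columns are controls; True where the control addresses the risk."""
    return {r: {c: r in covered for c, (_, covered) in controls.items()} for r in risks}

def review(objectives, risks, controls):
    matrix = risk_control_matrix(risks, controls)
    covering = {r: {c for c, hit in row.items() if hit} for r, row in matrix.items()}
    # Missing controls: a risk to an objective that no control addresses.
    missing = sorted(r for r, cs in covering.items() if not cs)
    # Controls with no objective: they address no risk linked to a known objective.
    no_objective = sorted(
        c for c, (_, covered) in controls.items()
        if not any(risks.get(r) in objectives for r in covered)
    )
    # Redundancy candidates (assumed rule): every risk the control covers is also
    # covered by another control of the same type, so a detective control that
    # backs up a preventative one is not flagged.
    redundant = sorted(
        c for c, (kind, covered) in controls.items()
        if covered and all(
            any(o != c and controls[o][0] == kind for o in covering[r])
            for r in covered
        )
    )
    return {"missing": missing, "no_objective": no_objective, "redundant": redundant}

if __name__ == "__main__":
    for finding, items in review(OBJECTIVES, RISKS, CONTROLS).items():
        print(f"{finding}: {items}")
```

A flagged control is a prompt for discussion with the process team, not a decision to remove it.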
So, when are we going to see this in the shops!?! I think these diaries should definitely be published in a book - in a couple of years (so the other employees of FD's company don't necessarily realise it's about them). It's a fascinating insight into management and the other side of the 'them and us'. Keep up the good diarying!!
It is worth noting (for the wider public) that the real 'cost' of this fraud is not measured solely by the value of stock lost. There is also to be considered the legal fees and, probably more important, the management time 'wasted' and anxiety arising from the problem. There is also the need to find and train suitable replacement staff.
Take it from me, if the matter had progressed to a police enquiry and court prosecution these additional 'costs' would have increased exponentially!
The moral of the story is, I would suggest, prevention is better than cure.
As I sometimes (unhelpfully) say to clients dealing with a fraud they have suffered, "If I was you, I wouldn't start from here!"
I am not saying that, in FD's case, there was a lack of fraud prevention measures but in my experience many businesses do not have adequate deterrents in place. Alison Robinson's recent AccountingWEB article A quick guide to identifying financial crimes should be required reading!
David
d.winch@accountingevidence.com
The most effective I ever found (I was measured by it) was linked to an incentive plan. I had a set % bonus and this was allocated (in discussion with me) to the various performance goals. If I hit the goal I automatically got paid that part of my bonus.
I achieved!! Of course the targets need to be clearly defined, and clearly assessable for this to work.